A bug was patched in Git repository
Git patched a serious vulnerability on Tuesday that could lead to arbitrary code execution when a developer uses a malicious repository. The developers behind the open-source Git tool pushed out Git 2.17.1 to address two bugs. These vulnerabilities also required Git hosting services to patch their systems. The security vulnerability in Git was reported through GitHub's bug bounty program. GitHub took measures to patch the vulnerability and blocked the malicious content it received. It has also taken measures to protect users that continue to use outdated clients. GitHub urges all users to update to the latest version of Git. The following versions of GitHub Enterprise include the fix: 2.10.22, 2.11.16, 2.12.10, and 2.13.2.
The vulnerability is a submodule configuration flaw that surfaces when a repository's submodule configuration is cloned. Git provides developers with post-checkout hooks, which are executed within the context of the project. Hooks can be defined within submodules, and a malicious submodule can be directed to execute code. The software does not properly validate submodule names supplied by the untrusted .gitmodules file when appending them to the $GIT_DIR/modules directory. A remote repository can therefore return crafted data that creates or overwrites files on the target user's system when the repository is cloned, which causes arbitrary code to be executed on the target system.
The issue is that a rogue submodule can trick Git into running code it shouldn't, outside the context of the repository. This can allow a hacker to steal data, pull down a web shell, plant a cryptominer or even own the machine that the Git repository clone is run on. The vulnerabilities are unusual because they allow hackers to target the developer toolchain rather than the software itself.
Submodule folder names are now examined more closely by Git clients. They can no longer contain ".." as a path segment, and they cannot be symbolic links, so they must stay within the .git folder and not end up in the repository's actual working directory. Git will now refuse to work with repositories that contain a submodule configuration like this. Visual Studio Team Services, along with most other hosting providers, will actively reject pushes of repositories that contain such a submodule configuration, to help protect clients that haven't yet upgraded.
Researcher Etienne Stalmans is credited with discovering the vulnerability via GitHub's bug bounty program. Credit for fixing the bugs goes to Jeff King, Johannes Schindelin, and others. The patches made available Tuesday cover both bugs. In addition to the fixes, the new release adds server-side support for rejecting pushes to repositories that attempt to create such problematic .gitmodules files as tracked contents, to help hosting sites protect their customers with older clients.
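As an added illustration of the name rule described above (this is not Git's own code, and it only covers the ".." path-segment rule, not the symbolic-link check), the following Python script parses the `[submodule "..."]` headers of a .gitmodules file and flags any submodule name that would escape $GIT_DIR/modules; this is the kind of check a hosting site could run in a pre-receive hook to protect clients that have not yet upgraded. The sample .gitmodules content is constructed for this example.

```python
"""Flag .gitmodules submodule names that Git 2.17.1 and later refuse to use."""
import re

# Matches a section header such as:  [submodule "libs/crypto"]
SUBMODULE_HEADER = re.compile(r'^\s*\[submodule\s+"([^"]*)"\]\s*$')


def is_safe_submodule_name(name: str) -> bool:
    """Return True unless the name is empty or has '..' as a path segment.

    Both '/' and '\\' are treated as separators so the rule is the same on
    every platform; 'foo..bar' is fine, '../hooks' and 'a\\..\\b' are not.
    """
    if not name:
        return False
    segments = re.split(r"[\\/]+", name)
    return all(segment != ".." for segment in segments)


def unsafe_submodule_names(gitmodules_text: str) -> list:
    """Return every submodule name in the given .gitmodules text that fails the check."""
    rejected = []
    for line in gitmodules_text.splitlines():
        match = SUBMODULE_HEADER.match(line)
        if match and not is_safe_submodule_name(match.group(1)):
            rejected.append(match.group(1))
    return rejected


# Constructed sample: one benign submodule and one whose name would be
# appended to $GIT_DIR/modules and climb out of it.
SAMPLE_GITMODULES = """\
[submodule "libs/crypto"]
\tpath = libs/crypto
\turl = https://example.invalid/crypto.git
[submodule "../../hooks"]
\tpath = vendor/third-party
\turl = https://example.invalid/third-party.git
"""

if __name__ == "__main__":
    for bad_name in unsafe_submodule_names(SAMPLE_GITMODULES):
        print("rejecting push: unsafe submodule name", repr(bad_name))
```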